Creators of the world's largest botnet, Mariposa, arrested
Recently we wrote about Microsoft's fight against the Waledac botnet. Now justice has prevailed again: this time the creators of another botnet, Mariposa, were detained directly. According to the analysts' figures it is the largest botnet seen so far, made up of almost 13 million infected machines. Besides home users' PCs, it included bots inside banks and large companies in more than 190 countries.
This week it became known that three creators of Mariposa, all of Spanish origin, had been arrested. Mariposa (Spanish for "butterfly") began to attract the attention of anti-virus companies in early 2009 and got its name from the string "butterfly dot sinip dot es" found on the web site of one of its command centres. The botnet was built from malware of the Win32/Peerfrag family. The worm spreads in several ways at once, which is what allowed a multi-million-node botnet to grow:
- copies itself into the shared folders of the P2P clients Ares Galaxy, BearShare, DC++ and eMule
- sends instant messages on behalf of the infected user that contain a link to the worm
- infects removable media by modifying the medium's autorun.inf so that the worm is launched
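One practical check that follows from the removable-media vector, added here as an example (it is not code from the original post, from ESET or from the Mariposa working group): a tolerant autorun.inf parser with heuristics for the self-launch tricks USB worms rely on. The two sample files inside it are constructed for illustration and are not real Mariposa artefacts. Note the caveat that Windows has ignored autorun.inf on non-optical removable media since the February 2011 AutoRun update (KB971029), so on patched systems such a file is an infection marker rather than an infection path.

```python
"""Triage an autorun.inf from removable media for self-launching directives.

Added example, not code from the original post or from ESET: a tolerant
parser for autorun.inf plus heuristics for the tricks USB worms rely on to get
launched by AutoRun/AutoPlay. The two sample files at the bottom are
constructed for illustration and are not real Mariposa artefacts.
"""
import re
from typing import Dict, List

# Directives that make Windows (when AutoRun is honoured) execute something
# from the medium as soon as it is inserted or double-clicked.
LAUNCH_KEYS = {"open", "shellexecute"}
# shell\<verb>\command=... defines a context-menu verb; shell=<verb> makes
# that verb the default double-click action in Explorer.
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")
EXEC_EXT_RE = re.compile(r"\.(exe|scr|com|bat|cmd|pif|vbs|js|dll)\b")
HIDDEN_DIR_RE = re.compile(
    r"(recycler|recycled|\$recycle\.bin|system volume information)", re.IGNORECASE
)


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the key=value pairs of the [autorun] section with lower-cased keys.

    Deliberately tolerant: blank lines, comments, junk lines and other sections
    are skipped, because worms pad the file with garbage to trip up naive parsers.
    """
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def triage_autorun(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing self-launching."""
    entries = parse_autorun(text)
    findings: List[str] = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS or SHELL_CMD_RE.match(key):
            findings.append(f"{key}= launches '{value}'")
            if EXEC_EXT_RE.search(value.lower()):
                findings.append(f"{key}= references an executable file type")
            if HIDDEN_DIR_RE.search(value):
                findings.append(f"{key}= points into a normally hidden system folder")
    # A custom verb made the default means a double-click on the drive runs it.
    custom_verbs = {k.split("\\")[1] for k in entries if SHELL_CMD_RE.match(k)}
    if entries.get("shell", "").lower() in custom_verbs:
        findings.append("shell= makes a custom verb the default double-click action")
    # Worms label their AutoPlay entry to look like Explorer's own 'Open folder' item.
    if re.search(r"open folder", entries.get("action", ""), re.IGNORECASE):
        findings.append("action= mimics Explorer's 'Open folder to view files' entry")
    return findings


def is_suspicious(text: str) -> bool:
    return bool(triage_autorun(text))


# Constructed samples (not real Mariposa files).
BENIGN_AUTORUN = r"""[autorun]
icon=setup.ico
label=Vendor Tools
"""

WORM_STYLE_AUTORUN = r"""[autorun]
ZZZZ junk padding line without an equals sign, meant to confuse parsers
open=RECYCLER\S-1-5-21-1234\update.exe
shellexecute=RECYCLER\S-1-5-21-1234\update.exe
shell\open\command=RECYCLER\S-1-5-21-1234\update.exe
shell=open
action=Open folder to view files
"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_AUTORUN), ("worm-style", WORM_STYLE_AUTORUN)):
        print(f"{name}: suspicious={is_suspicious(sample)}")
        for finding in triage_autorun(sample):
            print("  -", finding)
```

Run it against the root of a mounted USB stick (`triage_autorun(open(r"E:\autorun.inf").read())`); a file that only sets `icon=` and `label=` yields no findings, while any `open=`, `shellexecute=` or `shell\...\command=` directive is reported together with the path it would execute.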
The capabilities of Win32/Peerfrag are quite extensive:
- remote installation and activation of additional malicious modules
- DDoS attacks
- theft of personal and financial data (credit-card numbers and payment-system credentials)
The cybercriminals built their botnet on a so-called bot kit that they bought for the purpose. We have recently written about such botnet-building kits and the fierce competition between them. The worm is written quite professionally and carries many mechanisms that complicate reverse engineering and detection:
- frequent updates and modifications of the worm's samples, which let it evade signature-based detection
- refusal to run inside virtual machines and sandboxes
- a protected, hard-to-inspect protocol for communicating with the command centre
The botnet's command-and-control protocol was analysed in detail by Palo Alto Networks, which wrote a dedicated plug-in for the Wireshark network analyser that dissects Mariposa's traffic.
Our anti-virus laboratory currently holds about 300 different variants of this worm. A detailed analysis of Mariposa can be found in the report produced by the working group during the investigation of the incident.
The offenders were caught partly by luck. Once it became known that the command centres were hosted in Spain, they were shut down with the cooperation of the hosting providers, which decapitated Mariposa. One of the cybercriminals, however, tried to regain control of the botnet from his home computer and even launched a DDoS attack in retaliation. In doing so he gave himself away, because until then every connection had been made exclusively through a VPN.
Microsoft, for its part, reports the following statistics on the Mariposa incidents it has recorded.
According to Microsoft, it logged 1,183,728 incidents in total and cleaned 1,031,097 PCs. That is only about one thirteenth of the botnet's estimated size.